An architectural decision must be made to determine the appropriate method to protect data at rest. There are such wide variety of products, methods and mechanisms for cryptographic storage that this cheat sheet will only focus on low-level guidelines for developers and architects who are implementing cryptographic solutions. We will not address specific vendor solutions, nor will we address the design of cryptographic algorithms.

+

An architectural decision must be made to determine the appropriate method to protect data at rest. There are such wide varieties of products, methods and mechanisms for cryptographic storage. This cheat sheet will only focus on low-level guidelines for developers and architects who are implementing cryptographic solutions. We will not address specific vendor solutions, nor will we address the design of cryptographic algorithms.

= Providing Cryptographic Functionality =

= Providing Cryptographic Functionality =

Line 17:

Line 17:

=== Rule - Only store sensitive data that you need ===

=== Rule - Only store sensitive data that you need ===

−

Many eCommerce businesses use payment providers that store the credit card for recurring billing. This offloads the burden of keeping credit card numbers safe.

+

Many eCommerce businesses utilize third party payment providers to store credit card information for recurring billing. This offloads the burden of keeping credit card numbers safe.

=== Rule - Only use strong cryptographic algorithms ===

=== Rule - Only use strong cryptographic algorithms ===

−

Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 / SHA1/ Favor safer. The definition of a "strong" cryptographic algorithms change over time.

+

Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 or SHA1. Note that the classification of a "strong" cryptographic algorithm can change over time.

http://csrc.nist.gov/groups/STM/cavp/index.html

http://csrc.nist.gov/groups/STM/cavp/index.html

−

This is a good default if one doesn't have AES and one of the authenticated encryption modes that provide confidentiality and authenticity (i.e., data origin authentication) such as CCM, EAX, CMAC, etc. For Java, if you are using SunJCE that will be the case. The cipher modes supported in JDK 1.5 and later are CBC, CFB, CFBx, CTR, CTS, ECB, OFB, OFBx, PCBC, None of these cipher modes are authentication encryption modes. (That's why I added it explicitly.) If you are using an alternate JCE provider such as Bouncy Castle, RSA JSafe, IAIK, etc then some of these authentication encryption modes probably should be preferred.

+

The CAVP program located at the above link is a good default place to go for validation of cryptographic algorithms when one does not have AES or one of the authenticated encryption modes that provide confidentiality and authenticity (i.e., data origin authentication) such as CCM, EAX, CMAC, etc. For Java, if you are using SunJCE that will be the case. The cipher modes supported in JDK 1.5 and later are CBC, CFB, CFBx, CTR, CTS, ECB, OFB, OFBx, PCBC. None of these cipher modes are authenticated encryption modes. (That's why it is added explicitly.) If you are using an alternate JCE provider such as Bouncy Castle, RSA JSafe, IAIK, etc., then some of these authenticated encryption modes probably should be preferred.

−

Use salts when appropriate. Note that integrity should use a MAC such as HMAC-SHA1 or even better, HMAC-SHA256.

+

Use salts when appropriate. Note that integrity should use a MAC such as HMAC-SHA256 or HMAC-SHA512 which is a better choice.

Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion. Also ensure that random algorithms are seeded with sufficient entropy.

Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion. Also ensure that random algorithms are seeded with sufficient entropy.

−

−

==== Rule - Use independent keys when multiple keys are required ====

−

−

Ensure that key material is independent. That is, do not choose a second key which is easily related to the first (or any preceeding) keys.

Do not implement an existing cryptographic algorithm on your own, no matter how easy it appears. Use widely accepted algorithms and widely accepted implementations only. Ensure that an implementation has, at least, had some cryptography experts involved in its creation. If possible, use an implementation that is FIPS 140-2 certified.

+

Do not implement an existing cryptographic algorithm on your own, no matter how easy it appears. Instead, use widely accepted algorithms and widely accepted implementations. Ensure that the implementation has (at minimum) had some cryptography experts involved in its creation. If possible, use an implementation that is FIPS 140-2 certified.

==== Rule - Prefer authenticated encryption modes ====

==== Rule - Prefer authenticated encryption modes ====

−

Use cryptographic cipher modes that offer both confidentiality and authenticitity. Modes which provide both confidentiality and authenticitity include CWC, CCM, GCM, and EAX. CWC is a single pass algorithm, meaning the data is encrypted and the authenticity tag is created in a single pass over the data. Unfortunately, CWC is patented and claims the single pass as an innovation. To side step the patent, CCM, GCM, EAX and others do not make a single pass to encrypt the data and produce the authentication tag.

+

Use cryptographic cipher modes that offer both confidentiality and authenticity. Recommended modes include counter with CBC-MAC (CCM) mode and Galois/counter mode (GCM). These authenticated encryption (AE) modes resist padding oracle attacks which can be used in many cases to recover plaintext from ciphertext without knowledge of the encryption key.

−

If not using an auntenticated encryption mode, a confidentiality mode should be used with a message authentication code. Industry accepted confidentiality-only modes of operations include ECB, CBC, CFB, OFB, and CTR. When using a confidentiality-only mode, one must use an additional cryptographic primitive to provide authenticity assurances. The additional primitive is known as a MAC, and is usually a CBC-MAC, CMAC, or HMAC.

+

If an authenticated encryption mode is not available, then the best option is to consult with a professional cryptographer. Ask the cryptographer to review and customize the system to counter padding oracle attacks. This customization will typically involve the use of a message authentication code (MAC) that must be carefully employed in order to be effective.

−

ECB should usually be avoided. CBC has been carefully studied, is well understood, and a readily available mode of operation.

+

In the worst case, where neither an AE mode nor a professional cryptographer are available, then the cryptography is definitely vulnerable to a padding oracle attack. The best that can be done in this situation is to design the overall system so that the decryption function is only given ciphertext that is retrieved directly from a canonical source which itself must be protected by other integrity controls. While this technique will help reduce the risk of a padding oracle attack, it does not eliminate the risk, and it should be treated as a temporary workaround until an AE-based solution can be implemented.

−

If using a cipher mode that treats a block cipher as a streaming mode, such as OFB or CFB, be careful not to repeat the IV for the same encryption key.

+

When selecting a cryptographic mode for this worse case, cipher-block chaining (CBC) mode is a strong choice as it has been carefully studied, is well understood, and is readily available in many cryptographic APIs. In all cases avoid the electronic codebook (ECB) mode. If using cipher modes that create streaming ciphers from block ciphers, such as the output feedback (OFB) or cipher feedback (CFB) modes, be careful not to repeat the IV for the same encryption key.

−

When pairing a mode with a MAC, care must be taken so that the composition is secure. In 2001, Hugo Krawczyk published ''The Order of Encryption and Authentication for Protecting Communications''. In the paper, Krawczyk examined three commonly used methods of ensuring data integrity used by IPSec, SSL, and SSH. Krawczyk was able to prove that '''Encrypt then Authenticate (EtA)''', used IPSec, was generically secure; '''Authenticate then Encrypt (AtE)''', utilized by SSL, could be secure if composited correctly; and '''Encrypt and Authenticate (E&A)''', employed by SSH, was not secure.

+

See [http://www.cryptopp.com/wiki/Authenticated_Encryption Authenticated Encryption] on the Crypto++ wiki for a more complete discussion of the technique. NIST's CRSC [http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html Current Modes] and [http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html Modes Development] documents offer an abbreviated list of cipher modes. Additional block cipher modes can be found in Wikipedia's [http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Block cipher modes of operation] article.

−

+

−

See the "see also" section of <http://en.wikipedia.org/wiki/Authenticated_encryption> for a list of such cipher modes.

If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data.

If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data.

+

+

==== Rule - Use independent keys when multiple keys are required ====

+

+

Ensure that key material is independent. That is, do not choose a second key which is easily related to the first (or any preceeding) keys.

+

==== Rule - Protect keys in a key vault ====

==== Rule - Protect keys in a key vault ====

−

Keys should remain in a protected key vault at all times. In particular, ensure that there is a gap between the threat vectors with direct access to the data and the threat vectors with direct access to the keys. This implies that keys should not be stored on the application or web server (assuming that application attackers are part of the relevant threat model).

+

Keys should remain in a protected key vault at all times. In particular, ensure that there is a gap between the threat vectors that have direct access to the data and the threat vectors that have direct access to the keys. This implies that keys should not be stored on the application or web server (assuming that application attackers are part of the relevant threat model).

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The standard was introduced in 2005 and replaced individual compliance standards from Visa, Mastercard, Amex, JCB and Diners. The current version of the standard was introduced in 2008 and an update to the standard is expected in 2010.

+

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The standard was introduced in 2005 and replaced individual compliance standards from Visa, Mastercard, Amex, JCB and Diners. The current version of the standard is 2.0 and was initialized on January 1, 2011.

PCI DSS requirement 3 covers secure storage of credit card data. This requirement covers several aspects of secure storage including the data you must never store but we are covering Cryptographic Storage which is covered in requirements 3.4, 3.5 and 3.6 as you can see below:

PCI DSS requirement 3 covers secure storage of credit card data. This requirement covers several aspects of secure storage including the data you must never store but we are covering Cryptographic Storage which is covered in requirements 3.4, 3.5 and 3.6 as you can see below:

Line 113:

Line 108:

''Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher).''

''Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher).''

−

If you have implemented the second rule in this cheat sheet you will have implemented a strong cryptographic algorithm which is compliant with or stronger than the requirements of PCI DSS requirement 3.4 You need to ensure that you identify all locations that card data could be stored including logs and apply the appropriate level of protection. This could range from encrypting the data to replacing the card number in logs.

+

If you have implemented the second rule in this cheat sheet you will have implemented a strong cryptographic algorithm which is compliant with or stronger than the requirements of PCI DSS requirement 3.4. You need to ensure that you identify all locations that card data could be stored including logs and apply the appropriate level of protection. This could range from encrypting the data to replacing the card number in logs.

This requirement can also be met by implementing disk encryption rather than file or column level encryption. The requirements for '''Strong Cryptography''' are the same for disk encryption and backup media. The card data should never be stored in the clear and by following the guidance in this cheat sheet you will be able to securely store your data in a manner which is compliant with PCI DSS requirement 3.4

This requirement can also be met by implementing disk encryption rather than file or column level encryption. The requirements for '''Strong Cryptography''' are the same for disk encryption and backup media. The card data should never be stored in the clear and by following the guidance in this cheat sheet you will be able to securely store your data in a manner which is compliant with PCI DSS requirement 3.4

−

'''3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse'''

+

'''3.5 Protect any keys used to secure cardholder data against disclosure and misuse'''

−

As the requirement name above indicates we are required to securely store the encryption keys themselves. This will mean implementing strong access control, auditing and logging for your keys. The keys must be stored in a location which is both secure and "away" from the encrypted data, this means key data shouldn't be stored on web servers, database servers etc

+

As the requirement name above indicates, we are required to securely store the encryption keys themselves. This will mean implementing strong access control, auditing and logging for your keys. The keys must be stored in a location which is both secure and "away" from the encrypted data. This means key data shouldn't be stored on web servers, database servers etc

Access to the keys must be restricted to the smallest amount of users possible. This group of users will ideally be users who are highly trusted and trained to perform Key Custodian duties. There will obviously be a requirement for system/service accounts to access the key data to perform encryption/decryption of data.

Access to the keys must be restricted to the smallest amount of users possible. This group of users will ideally be users who are highly trusted and trained to perform Key Custodian duties. There will obviously be a requirement for system/service accounts to access the key data to perform encryption/decryption of data.

Line 131:

Line 126:

'''3.6.1 Generation of strong cryptographic keys'''

'''3.6.1 Generation of strong cryptographic keys'''

−

As we have previously described in this cheat sheet we need to use algorithms which offer high levels of data security. We must also generate strong keys so that the security of the data isn't undermined by weak cryptographic keys. A strong key is generated by using a key length which is sufficient for your data security requirements and compliant with the PCI&nbsp;DSS. The key size alone isn't a measure of the strength of a key. The data used to generate the key must be sufficiently random ("sufficient" often being determined by your data security requirements) and the entropy of the key data itself must be high.<br>

+

As we have previously described in this cheat sheet we need to use algorithms which offer high levels of data security. We must also generate strong keys so that the security of the data isn't undermined by weak cryptographic keys. A strong key is generated by using a key length which is sufficient for your data security requirements and compliant with the PCI DSS. The key size alone isn't a measure of the strength of a key. The data used to generate the key must be sufficiently random ("sufficient" often being determined by your data security requirements) and the entropy of the key data itself must be high.<br>

'''3.6.2 Secure cryptographic key distribution'''

'''3.6.2 Secure cryptographic key distribution'''

Line 145:

Line 140:

The PCI DSS standard mandates that keys used for encryption must be rotated at least annually. The key rotation process must remove an old key from the encryption/decryption process and replace it with a new key. All new data entering the system must encrypted with the new key. While it is recommended that existing data be rekeyed with the new key, as per the Rekey data at least every one to three years rule above, it is not clear that the PCI DSS requires this.

The PCI DSS standard mandates that keys used for encryption must be rotated at least annually. The key rotation process must remove an old key from the encryption/decryption process and replace it with a new key. All new data entering the system must encrypted with the new key. While it is recommended that existing data be rekeyed with the new key, as per the Rekey data at least every one to three years rule above, it is not clear that the PCI DSS requires this.

−

'''3.6.5 Retirement or replacement of old or suspected compromised cryptographic keys'''

+

'''3.6.5 Retirement or replacement of keys as deemed necessary when the integrity of the key has been weakened or keys are suspected of being compromised'''

The key management processes must cater for archived, retired or compromised keys. The process of securely storing and replacing these keys will more than likely be covered by your processes for requirements 3.6.2, 3.6.3 and 3.6.4

The key management processes must cater for archived, retired or compromised keys. The process of securely storing and replacing these keys will more than likely be covered by your processes for requirements 3.6.2, 3.6.3 and 3.6.4

Line 157:

Line 152:

The system put in place to comply with requirement 3.6.6 can go a long way to preventing unauthorised substitution of key data. In addition to the dual control process you should implement strong access control, auditing and logging for key data so that unauthorised access attempts are prevented and logged.

The system put in place to comply with requirement 3.6.6 can go a long way to preventing unauthorised substitution of key data. In addition to the dual control process you should implement strong access control, auditing and logging for key data so that unauthorised access attempts are prevented and logged.

−

'''3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities'''

+

'''3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities '''

To perform the strong key management functions we have seen in requirement 3.6 we must have highly trusted and trained key custodians who understand how to perform key management duties. The key custodians must also sign a form stating they understand the responsibilities that come with this role.

To perform the strong key management functions we have seen in requirement 3.6 we must have highly trusted and trained key custodians who understand how to perform key management duties. The key custodians must also sign a form stating they understand the responsibilities that come with this role.

Introduction

This article provides a simple model to follow when implementing solutions for data at rest.

Architectural Decision

An architectural decision must be made to determine the appropriate method to protect data at rest. There are such wide varieties of products, methods and mechanisms for cryptographic storage. This cheat sheet will only focus on low-level guidelines for developers and architects who are implementing cryptographic solutions. We will not address specific vendor solutions, nor will we address the design of cryptographic algorithms.

Providing Cryptographic Functionality

Benefits

Basic Requirements

Secure Cryptographic Storage Design

Rule - Only store sensitive data that you need

Many eCommerce businesses utilize third party payment providers to store credit card information for recurring billing. This offloads the burden of keeping credit card numbers safe.

Rule - Only use strong cryptographic algorithms

Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 or SHA1. Note that the classification of a "strong" cryptographic algorithm can change over time.

The CAVP program located at the above link is a good default place to go for validation of cryptographic algorithms when one does not have AES or one of the authenticated encryption modes that provide confidentiality and authenticity (i.e., data origin authentication) such as CCM, EAX, CMAC, etc. For Java, if you are using SunJCE that will be the case. The cipher modes supported in JDK 1.5 and later are CBC, CFB, CFBx, CTR, CTS, ECB, OFB, OFBx, PCBC. None of these cipher modes are authenticated encryption modes. (That's why it is added explicitly.) If you are using an alternate JCE provider such as Bouncy Castle, RSA JSafe, IAIK, etc., then some of these authenticated encryption modes probably should be preferred.

Use salts when appropriate. Note that integrity should use a MAC such as HMAC-SHA256 or HMAC-SHA512 which is a better choice.

Rule - Ensure that random numbers are cryptographically strong

Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion. Also ensure that random algorithms are seeded with sufficient entropy.

Rule - Only use widely accepted implementations of cryptographic algorithms

Do not implement an existing cryptographic algorithm on your own, no matter how easy it appears. Instead, use widely accepted algorithms and widely accepted implementations. Ensure that the implementation has (at minimum) had some cryptography experts involved in its creation. If possible, use an implementation that is FIPS 140-2 certified.

Rule - Prefer authenticated encryption modes

Use cryptographic cipher modes that offer both confidentiality and authenticity. Recommended modes include counter with CBC-MAC (CCM) mode and Galois/counter mode (GCM). These authenticated encryption (AE) modes resist padding oracle attacks which can be used in many cases to recover plaintext from ciphertext without knowledge of the encryption key.

If an authenticated encryption mode is not available, then the best option is to consult with a professional cryptographer. Ask the cryptographer to review and customize the system to counter padding oracle attacks. This customization will typically involve the use of a message authentication code (MAC) that must be carefully employed in order to be effective.

In the worst case, where neither an AE mode nor a professional cryptographer are available, then the cryptography is definitely vulnerable to a padding oracle attack. The best that can be done in this situation is to design the overall system so that the decryption function is only given ciphertext that is retrieved directly from a canonical source which itself must be protected by other integrity controls. While this technique will help reduce the risk of a padding oracle attack, it does not eliminate the risk, and it should be treated as a temporary workaround until an AE-based solution can be implemented.

When selecting a cryptographic mode for this worse case, cipher-block chaining (CBC) mode is a strong choice as it has been carefully studied, is well understood, and is readily available in many cryptographic APIs. In all cases avoid the electronic codebook (ECB) mode. If using cipher modes that create streaming ciphers from block ciphers, such as the output feedback (OFB) or cipher feedback (CFB) modes, be careful not to repeat the IV for the same encryption key.

Rule - Store the hashed and salted value of passwords

This rule supports the principle of defense in depth. Access
controls (usernames, passwords, privileges, etc.) are one layer of
protection. Storage encryption should add an additional layer of
protection that will continue protecting the data even if an
attacker subverts the database access control layer.

Rule - Ensure that any secret key is protected from unauthorized access

Rule - Define a key lifecycle

The key lifecycle details the various states that a key will move through during its life. The lifecycle will specify when a key should no longer be used for encryption, when a key should no longer be used for decryption (these are not necessarily coincident), whether data must be rekeyed when a new key is introduced, and when a key should be removed from use all together.

Rule - Store unencrypted keys away from the encrypted data

If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data.

Rule - Use independent keys when multiple keys are required

Ensure that key material is independent. That is, do not choose a second key which is easily related to the first (or any preceeding) keys.

Rule - Protect keys in a key vault

Keys should remain in a protected key vault at all times. In particular, ensure that there is a gap between the threat vectors that have direct access to the data and the threat vectors that have direct access to the keys. This implies that keys should not be stored on the application or web server (assuming that application attackers are part of the relevant threat model).

These procedures must be written down and the key custodians must be adequately trained.

Rule - Build support for changing keys periodically

Key rotation is a must as all good keys do come to an end either through expiration or revocation. So a developer will have to deal with rotating keys at some point -- better to have a system in place now rather than scrambling later. (From Bil Cory as a starting point).

Rule - Document concrete procedures to handle a key compromise

Rule - Rekey data at least every one to three years

Rekeying refers to the process of decrypting data and then re-encrypting it with a new key. Periodically rekeying data helps protect it from undetected compromises of older keys. The appropriate rekeying period depends on the security of the keys. Data protected by keys secured in dedicated hardware security modules might only need rekeying every three years. Data protected by keys that are split and stored on two application servers might need rekeying every year.

Rule - Follow applicable regulations on use of cryptography

Rule - Under PCI DSS requirement 3, you must protect cardholder data

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The standard was introduced in 2005 and replaced individual compliance standards from Visa, Mastercard, Amex, JCB and Diners. The current version of the standard is 2.0 and was initialized on January 1, 2011.

PCI DSS requirement 3 covers secure storage of credit card data. This requirement covers several aspects of secure storage including the data you must never store but we are covering Cryptographic Storage which is covered in requirements 3.4, 3.5 and 3.6 as you can see below:

Compliance with requirement 3.4 can be met by implementing any of the four types of secure storage described in the standard which includes encrypting and hashing data. These two approaches will often be the most popular choices from the list of options. The standard doesn't refer to any specific algorithms but it mandates the use of Strong Cryptography. The glossary document from the PCI council defines Strong Cryptography as:

Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher).

If you have implemented the second rule in this cheat sheet you will have implemented a strong cryptographic algorithm which is compliant with or stronger than the requirements of PCI DSS requirement 3.4. You need to ensure that you identify all locations that card data could be stored including logs and apply the appropriate level of protection. This could range from encrypting the data to replacing the card number in logs.

This requirement can also be met by implementing disk encryption rather than file or column level encryption. The requirements for Strong Cryptography are the same for disk encryption and backup media. The card data should never be stored in the clear and by following the guidance in this cheat sheet you will be able to securely store your data in a manner which is compliant with PCI DSS requirement 3.4

3.5 Protect any keys used to secure cardholder data against disclosure and misuse

As the requirement name above indicates, we are required to securely store the encryption keys themselves. This will mean implementing strong access control, auditing and logging for your keys. The keys must be stored in a location which is both secure and "away" from the encrypted data. This means key data shouldn't be stored on web servers, database servers etc

Access to the keys must be restricted to the smallest amount of users possible. This group of users will ideally be users who are highly trusted and trained to perform Key Custodian duties. There will obviously be a requirement for system/service accounts to access the key data to perform encryption/decryption of data.

The keys themselves shouldn't be stored in the clear but encrypted with a KEK (Key Encrypting Key). The KEK must not be stored in the same location as the encryption keys it is encrypting.

3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data

As we have previously described in this cheat sheet we need to use algorithms which offer high levels of data security. We must also generate strong keys so that the security of the data isn't undermined by weak cryptographic keys. A strong key is generated by using a key length which is sufficient for your data security requirements and compliant with the PCI DSS. The key size alone isn't a measure of the strength of a key. The data used to generate the key must be sufficiently random ("sufficient" often being determined by your data security requirements) and the entropy of the key data itself must be high.

3.6.2 Secure cryptographic key distribution

The method used to distribute keys must be secure to prevent the theft of keys in transit. The use of a protocol such as Diffie Hellman can help secure the distribution of keys, the use of secure transport such as SSLv3, TLS and SSHv2 can also secure the keys in transit.

3.6.3 Secure cryptographic key storage

The secure storage of encryption keys including KEK's has been touched on in our description of requirement 3.5 (see above).

3.6.4 Periodic cryptographic key changes

The PCI DSS standard mandates that keys used for encryption must be rotated at least annually. The key rotation process must remove an old key from the encryption/decryption process and replace it with a new key. All new data entering the system must encrypted with the new key. While it is recommended that existing data be rekeyed with the new key, as per the Rekey data at least every one to three years rule above, it is not clear that the PCI DSS requires this.

3.6.5 Retirement or replacement of keys as deemed necessary when the integrity of the key has been weakened or keys are suspected of being compromised

The key management processes must cater for archived, retired or compromised keys. The process of securely storing and replacing these keys will more than likely be covered by your processes for requirements 3.6.2, 3.6.3 and 3.6.4

3.6.6 Split knowledge and establishment of dual control of cryptographic keys

The requirement for split knowledge and/or dual control for key management prevents an individual user performing key management tasks such as key rotation or deletion. The system should require two individual users to perform an action (i.e. entering a value from their own OTP) which creates to separate values which are concatenated to create the final key data.

3.6.7 Prevention of unauthorized substitution of cryptographic keys

The system put in place to comply with requirement 3.6.6 can go a long way to preventing unauthorised substitution of key data. In addition to the dual control process you should implement strong access control, auditing and logging for key data so that unauthorised access attempts are prevented and logged.

3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities

To perform the strong key management functions we have seen in requirement 3.6 we must have highly trusted and trained key custodians who understand how to perform key management duties. The key custodians must also sign a form stating they understand the responsibilities that come with this role.